From nobody@FreeBSD.org  Sun Nov 25 19:39:25 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A114016A417
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Nov 2007 19:39:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 8F6CA13C44B
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Nov 2007 19:39:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id lAPJdMSB037115
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Nov 2007 19:39:22 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id lAPJdM0R037114;
	Sun, 25 Nov 2007 19:39:22 GMT
	(envelope-from nobody)
Message-Id: <200711251939.lAPJdM0R037114@www.freebsd.org>
Date: Sun, 25 Nov 2007 19:39:22 GMT
From: Hugo Saro <hugo@barafranca.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: netstat/sockstat reporting incorrect information due to MAC_PARTITION
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         118247
>Category:       kern
>Synopsis:       [mac] netstat/sockstat reporting incorrect information due to MAC_PARTITION
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 25 19:40:00 UTC 2007
>Closed-Date:    Mon Mar 02 11:21:42 UTC 2009
>Last-Modified:  Mon Mar 02 11:21:42 UTC 2009
>Originator:     Hugo Saro
>Release:        FreeBSD 7.0-BETA3 amd64
>Organization:
>Environment:
FreeBSD samba.multiverse.local 7.0-BETA3 FreeBSD 7.0-BETA3 #0: Sun Nov 25 03:53:45 WET 2007     klr@zaurak.bsdlan.org:/usr/obj/usr/src/sys/ZAURAK  amd64

>Description:
sockstat and netstat do not show the correct number of connections while security.mac.partition.enabled is set.

I am starting the jail with setpmac partition/XXX /etc/rc.d/jail start samba.

See below.

Should this happen? I am very interested in further isolating jails with mac_partition, but not being able to netstat/sockstat from inside the jail (works fine from the host, as expected; however, if done under setpmac, the following happens):

host# setpmac partition/9009 netstat -anfinet && echo -- && sockstat -4l
--
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       39843 3  tcp4   10.0.90.1:22          *:*
root     smbd       39813 18 tcp4   10.0.90.1:445         *:*
root     smbd       39813 19 tcp4   10.0.90.1:139         *:*
root     nmbd       39809 6  udp4   10.0.90.1:137         *:*
root     nmbd       39809 7  udp4   10.0.90.1:138         *:*
root     nmbd       39809 8  udp4   10.0.90.1:137         *:*
root     nmbd       39809 9  udp4   10.0.90.1:138         *:*
root     sshd       1462  3  tcp4   192.168.0.110:22      *:*

host# netstat -anfinet && echo -- && sockstat -4l
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.90.1.139          192.168.0.1.55432      ESTABLISHED
tcp4       0      0  10.0.90.1.22           192.168.0.1.54898      ESTABLISHED
tcp4       0      0  10.0.90.1.139          *.*                    LISTEN
tcp4       0      0  10.0.90.1.445          *.*                    LISTEN
tcp4       0      0  10.0.90.1.22           *.*                    LISTEN
tcp4       0      0  192.168.0.110.22       *.*                    LISTEN
tcp4       0     48  192.168.0.110.22       192.168.0.1.52590      ESTABLISHED
udp4       0      0  10.0.90.1.138          *.*
udp4       0      0  10.0.90.1.137          *.*
udp4       0      0  10.0.90.1.138          *.*
udp4       0      0  10.0.90.1.137          *.*
--
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       39843 3  tcp4   10.0.90.1:22          *:*
root     smbd       39813 18 tcp4   10.0.90.1:445         *:*
root     smbd       39813 19 tcp4   10.0.90.1:139         *:*
root     nmbd       39809 6  udp4   10.0.90.1:137         *:*
root     nmbd       39809 7  udp4   10.0.90.1:138         *:*
root     nmbd       39809 8  udp4   10.0.90.1:137         *:*
root     nmbd       39809 9  udp4   10.0.90.1:138         *:*
root     sshd       1462  3  tcp4   192.168.0.110:22      *:*
I might be missing something obvious, but MAC_PARTITION shouldn't affect the output of netstat/sockstat.
>How-To-Repeat:
host# sysctl security.mac.partition.enabled=0
security.mac.partition.enabled: 1 -> 0

jail# netstat -an -f inet
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.90.1.139          192.168.0.1.55432      ESTABLISHED
tcp4       0    160  10.0.90.1.22           192.168.0.1.54898      ESTABLISHED
tcp4       0      0  10.0.90.1.139          *.*                    LISTEN
tcp4       0      0  10.0.90.1.445          *.*                    LISTEN
tcp4       0      0  10.0.90.1.22           *.*                    LISTEN
udp4       0      0  10.0.90.1.138          *.*
udp4       0      0  10.0.90.1.137          *.*
udp4       0      0  10.0.90.1.138          *.*
udp4       0      0  10.0.90.1.137          *.*


host# /etc/rc.d/sysctl reload
security.mac.partition.enabled: 0 -> 1

jail# netstat -an -f inet
netstat: kvm not available: /dev/mem: No such file or directory

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sun Nov 25 19:41:55 UTC 2007 
Responsible-Changed-Why:  
Hi Robert, this might be something for you to look at.. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118247 

From: Robert Watson <rwatson@FreeBSD.org>
To: Hugo Saro <hugo@barafranca.com>
Cc: bug-followup@FreeBSD.org, bz@FreeBSD.org
Subject: Re: kern/118247: MAC: netstat/sockstat reporting incorrect information
 due to MAC_PARTITION
Date: Wed, 22 Oct 2008 14:27:35 +0100 (BST)

 Dear Hugo:
 
 This problem may be affected by Bjoern's recent commits to mac_partition.c; 
 could you update (once the change has propagated to cvsup) and confirm whether 
 things improve?
 
 Author: bz
 Date: Wed Oct 22 08:52:45 2008
 New Revision: 184155
 URL: http://svn.freebsd.org/changeset/base/184155
 
 Log:
    MFC: r183970
 
      Use the label from the socket credential rather than the
      solabel which was not set by the mac_partition policy.
 
    Approved by:  re (rwatson)
 
 Modified:
    stable/7/sys/   (props changed)
    stable/7/sys/security/mac_partition/mac_partition.c
 
 Modified: stable/7/sys/security/mac_partition/mac_partition.c
 ============================================================================
 ==
 --- stable/7/sys/security/mac_partition/mac_partition.c Wed Oct 22 08:43:35
 2008    (r184154)
 +++ stable/7/sys/security/mac_partition/mac_partition.c Wed Oct 22 08:52:45
 2008    (r184155)
 @@ -46,6 +46,7 @@
   #include <sys/priv.h>
   #include <sys/proc.h>
   #include <sys/sbuf.h>
 +#include <sys/socketvar.h>
   #include <sys/systm.h>
   #include <sys/sysctl.h>
 
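Review bot: the new `#include <sys/socketvar.h>` is the dependency the second hunk needs, since partition_check_socket_visible now dereferences so->so_cred and therefore requires the complete struct socket definition rather than a forward declaration; it is slotted in alphabetical order between sbuf.h and systm.h, consistent with the surrounding includes, so no further change is needed in this hunk.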
 @@ -221,7 +222,7 @@ partition_check_socket_visible(struct uc
   {
          int error;
 
 -       error = label_on_label(cred->cr_label, solabel);
 +       error = label_on_label(cred->cr_label, so->so_cred->cr_label);
 
          return (error ? ENOENT : 0);
   }
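Review bot: partition_check_socket_visible keeps solabel in its parameter list while no longer reading it, and nothing in the hunk records why; add a one-line comment above `error = label_on_label(cred->cr_label, so->so_cred->cr_label);` stating that mac_partition never initialises the socket label (the reason given in the commit log), so that a later reader does not "fix" the call back to solabel. The hunk also adds no guard on so->so_cred, so it is worth confirming in review that the socket credential is always set by the time the visibility check runs.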
 
 
 Robert N M Watson
 Computer Laboratory
 University of Cambridge
 
 On Sun, 25 Nov 2007, remko@FreeBSD.org wrote:
 
 > Old Synopsis: netstat/sockstat reporting incorrect information due to MAC_PARTITION
 > New Synopsis: MAC: netstat/sockstat reporting incorrect information due to MAC_PARTITION
 >
 > Responsible-Changed-From-To: freebsd-bugs->rwatson
 > Responsible-Changed-By: remko
 > Responsible-Changed-When: Sun Nov 25 19:41:55 UTC 2007
 > Responsible-Changed-Why:
 > Hi Robert, this might be something for you to look at..
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=118247
 >
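To make the symptom in the PR and the effect of r184155 concrete, here is a constructed user-space model of the visibility check (added for this page; it is not the kernel's code, and the partition numbers and socket table are made up to mirror the report). The comparison rule assumed for label_on_label is the documented mac_partition one: an unpartitioned subject sees everything, otherwise subject and object must share a partition.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of the mac_partition visibility check, not the kernel's
 * code: a label holds one integer partition slot, 0 meaning "unpartitioned". */
struct label { int partition; };
struct ucred { struct label cr_label; };
struct socket {
    struct label so_label;  /* solabel: the policy never fills this in */
    struct ucred so_cred;   /* credential of the process that created it */
};

static int partition_enabled = 1;   /* models security.mac.partition.enabled */

/* Subject may see object when the policy is off, the subject is unpartitioned,
 * or both share a partition; anything else is denied. */
static int label_on_label(const struct label *subject, const struct label *object)
{
    if (!partition_enabled || subject->partition == 0)
        return 0;
    return subject->partition == object->partition ? 0 : EPERM;
}

/* Before r184155: compares against the socket label, which stays 0. */
static int check_visible_old(const struct ucred *cred, const struct socket *so)
{
    return label_on_label(&cred->cr_label, &so->so_label) ? ENOENT : 0;
}

/* After r184155: compares against the label of the creating credential. */
static int check_visible_new(const struct ucred *cred, const struct socket *so)
{
    return label_on_label(&cred->cr_label, &so->so_cred.cr_label) ? ENOENT : 0;
}

/* Sockets a viewer in viewer_partition would see; constructed table mirrors
 * the PR: three jail sockets created under partition 9009, one host sshd. */
static int count_visible(int viewer_partition, int use_fix)
{
    const struct socket socks[] = {
        { {0}, {{9009}} }, { {0}, {{9009}} }, { {0}, {{9009}} }, { {0}, {{0}} },
    };
    const struct ucred viewer = { { viewer_partition } };
    int n = 0;
    for (size_t i = 0; i < sizeof socks / sizeof socks[0]; i++)
        if ((use_fix ? check_visible_new(&viewer, &socks[i])
                     : check_visible_old(&viewer, &socks[i])) == 0)
            n++;
    return n;
}
```

With the old check a viewer under `setpmac partition/9009` sees no sockets at all (every solabel is 0, so nothing matches), which is exactly the empty netstat output above; with the fixed check it sees the three sockets created in its own partition and still not the host's sshd.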
State-Changed-From-To: open->feedback 
State-Changed-By: rwatson 
State-Changed-When: Mon Feb 9 23:34:51 UTC 2009 
State-Changed-Why:  
Feedback requested -- could you confirm whether the following fix 
improved things for you: 

Author: bz 
Date: Wed Oct 22 08:52:45 2008 
New Revision: 184155 
URL: http://svn.freebsd.org/changeset/base/184155 

Log: 
MFC: r183970 

Use the label from the socket credential rather than the 
solabel which was not set by the mac_partition policy. 

Approved by: re (rwatson) 

Modified: 
stable/7/sys/ (props changed) 
stable/7/sys/security/mac_partition/mac_partition.c 

Full patch is available in the PR: 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118247 

Thanks, 


http://www.freebsd.org/cgi/query-pr.cgi?pr=118247 
State-Changed-From-To: feedback->closed 
State-Changed-By: rwatson 
State-Changed-When: Mon Mar 2 11:20:54 UTC 2009 
State-Changed-Why:  
Feedback timeout; this problem is believed resolved in the 7.x and 8.x 
branches; if you are able to confirm this, or are still able to reproduce 
this problem, please follow up on this PR and I will re-open it.  Thanks 
for the report! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118247 
>Unformatted:
